Risk Governance

After completing this reading, you should be able to:

  • Explain Basel regulatory expectations for an operational risk management framework’s governance.
  • Describe and compare the roles of different committees and the board of directors in operational risk governance.
  • Describe the “three lines of defense” model for operational risk governance and compare roles and responsibilities for each line of defense.
  • Explain the best practices and regulatory expectations for developing a risk appetite for operational risk and strong risk culture.

The Basel Regulatory Expectations for the Governance of an Operational Risk Management Framework

In June 2004, the Basel Committee published Basel II, the first framework to regulate operational risk. Three regulatory pillars were introduced, broadening the scope of prudential supervision beyond minimum capital requirements.

Pillar 1: Regulatory Capital

This pillar involves calculating the minimum level of capital banks require to cover the risk of unexpected losses from credit, market, and operational risks and the minimum ratios required to limit liquidity risks.

Pillar 2: Supervisory Review Process

Under Pillar 2, supervisors may impose additional capital requirements (“add-ons”) depending on a regulated entity’s risk profile.

Pillar 3: Market Discipline

Pillar 3 requires that financial institutions disclose their quarterly or yearly financial and risk information.

In 2003, having learned that regulatory capital was not enough to cover operational losses, Basel introduced mandatory principles for managing operational risk. These were later revised in 2011 to include lessons learned from the financial crisis. In March 2021, a revised version of the principles was published, which saw an increase from 11 to 12 principles.

Table 1.1.: BCBS Revisions to the Principles for the Sound Management of Operational Risk

  1. Culture led by the board of directors and implemented by senior management.
  2. Maintenance of a sound and proportionate operational risk management framework (ORMF).
  3. Board review and approval of ORMF.
  4. Risk appetite and tolerance statement for operational risk to be approved and periodically reviewed by the board.
  5. Senior management role in ORM policies and systems development and implementation.
  6. Comprehensive identification and assessment of operational risk in material activities.
  7. Change management process adequately resourced and articulated.
  8. Regular monitoring of operational risk profile and exposures.
  9. Strong control environment: internal controls, mitigation, training, and risk-transfer strategies.
  10. Robust information and communication technology (ICT) management program, in line with ORMF.
  11. Business continuity plans in place and linked with ORMF.
  12. Public disclosures on approach to ORM and risk exposures.

After the 2007-2009 financial crisis, Basel II was partially reformed. However, operational risk rules remained unchanged. The Basel Committee initiated an operational risk capital reform in 2015. As a result, Basel III was updated in December 2017, discontinuing the three-tier regulatory capital regime for operational risk. The Standardized Measurement Approach (SMA), later renamed Standardized Approach (SA), is the new method, effective from January 2023 and shall be in use up to January 2025.

BCBS greatly influences the operations of major regulatory bodies across the globe. Regulated institutions are advised to constantly refer to publications issued locally by regulators. This will enable them to meet their regulatory requirements and gain guidance on operational risk management.

Supervisory risk management involves:

  • Assessing the risk profile in a forward-looking manner.
  • Developing robust governance policies and processes to facilitate the establishment of a robust risk management framework.
  • Identifying and managing all material risks per the firm’s risk appetite and ensuring an effective control environment.

Supervisors are expected to frequently assess the ORM framework of banks by examining their policies, processes, and systems relating to operational risk.

If the assessment reveals weaknesses, supervisors should take the necessary measures to ensure that banks address them.

In addition, supervisors should support the bank’s efforts by monitoring, comparing, and evaluating the bank’s performance.

Regulators expect ORM to go beyond a paperwork compliance exercise. It should be a more practical exercise and an integral part of all activities. To put it another way, risk management is fundamental to every business decision, and the staff should be involved at all levels of decision-making.

Regulators and auditors should ask banks to show how they reach their decisions and examine whether such decisions are made considering risk.

To examine whether an ORM framework is being implemented in a firm, the following questions should be asked:

  • Is there evidence that all material events are captured in event reports? Do reports provide lessons and root-cause analysis? Does this include near misses?
  • Is the basis for risk and control assessments robust and consistent? Are the right people involved? Are the assessments challenged and peer-reviewed to ensure consistency across the organization?
  • Does the value of each risk indicator come from an independent source? Do line managers (the risk owners) approve of the indicators as being the best? How often are they refreshed?
  • Scenarios: Are they sufficient enough? Do they remain realistic while being sufficiently extreme? Is the assessment objective, documented, and repeatable?
  • Coverage: Do the reports sufficiently cover the ORM scope?
  • Risk reporting: Are the presented data sufficient for decision-making? Does the information pertain to the level of management it is intended for?

Firms are expected to document and report all the activities as evidence for using an operational risk management framework. In other words, a firm should be able to provide evidence that the practice takes place. Therefore, all firm committees and management should keep a record of their discussions, decisions, and issues.

To avoid suffering regulatory compliance fines, firms should read and understand all consultation papers and policy documents to ensure that they meet the regulatory expectations. The staff should have sufficient knowledge of their material documents and be asked to confirm that they fully understand the material in their possession each year.

Whenever there is a new regulatory expectation, a firm should have a team that reviews such updates and presents them to the team during their next meeting.

The Roles of Different Committees and the Board of Directors in Operational Risk Governance

According to the Bank for International Settlements (BIS), banks should integrate their risk governance function into their overall risk management governance structure. To achieve effective risk governance, the firm should establish strong internal controls marked by a clear designation of roles and responsibilities.

A company’s operational risk is managed through several committees. These committees make collegial decisions based on information provided by different levels of the firm’s decision-making hierarchy and information escalated by those committees. The size and complexity of the firm influence the number of committees.

The lowest tier of the operational risk committee setup is typically determined by the type of business operations (i.e., corporate banking, investment banking, or support services) or geographic locations (such as countries or regions). This level of the risk committee oversees operational risk in its respective area and escalates information to help build up an accurate overview of the overall operational risk profile. In addition, any issues that arise above predetermined limits will be reported to a firmwide risk committee or second line of defense group for further examination.

At this lower level, it is important to note that each committee has a distinct purpose and must work within a specific set of constraints. For example, the corporate banking committee will evaluate potential risks arising from activities in its sector. In contrast, the investment banking committee will assess investment-related risks associated with its part of the operations. Similarly, a country-level committee must gauge potential risks from operations located within a single nation, while regional committees will consider risks originating from multiple countries within one region.

The operational risk committee is entrusted with the important responsibility of overseeing, managing, and monitoring operational risks. It then presents a comprehensive and consolidated view of all operational risks to the executive risk management committee, the management committee, and the board risk committee. The concerned committee can then analyze and identify any potential operational risk issues or threats, create strategies to control and mitigate these risks, and implement plans to monitor relevant risk indicators. It may also be responsible for developing procedures to ensure that all operational activities are conducted in accordance with applicable regulations and internal policies. Furthermore, it must provide regular reports to the executive risk management committee, including an assessment of current risk levels and the effectiveness of existing controls.

The board-created enterprise-level risk committee (board risk committee) oversees all operational risks. The committee is vital in ensuring that all potential risks are identified and managed appropriately. This involves conducting ongoing assessments of the organization’s operations to identify any risks or deficiencies before they manifest into larger issues. Additionally, this committee works in close cooperation with senior executives across various departments to further enhance the organization’s overall control environment. Their efforts help ensure that operations are conducted safely and efficiently while mitigating any financial losses from emerging risks.

The board risk committee makes recommendations to the full board with regard to risk-based decisions, risk exposure, and risk management.

The Roles of the Board of Directors

The board of directors is mandated to approve and periodically review the operational risk management framework. The board should oversee senior management to ensure that the policies, processes, and systems are implemented effectively at all decision levels.

With respect to Principle 3, the board of directors should:

  • Establish a culture and processes that help everyone – including board members, managers, and employees – understand the nature and scope of operational risks.
  • Regularly review the ORM Framework to ensure that it considers emerging/evolving risks.
  • Provide senior management with guidance regarding operational risk management and approve policies developed by senior management to manage operational risk.
  • Ensure that the bank has identified and is managing operational risks arising from external market changes and other environmental factors by regularly reviewing, evaluating, and approving the ORM Framework.
  • Ensure the ORM framework is subject to independent review by sufficiently skilled personnel.
  • Ensure that management follows the evolution of best practices and avails itself of these changes.

The Three “Lines of Defense” Model for Operational Risk Governance

The Basel Committee defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” It includes legal risk but excludes strategic and reputational risk. Many programs that manage risks in banks take effective management of operational risk as a fundamental element that is inherent in all banking products, systems, activities, and processes. Therefore, sound operational risk management reflects the board’s and senior management’s effectiveness in the administration of portfolio products, activities, processes, and systems.

Firms often employ three lines of defense to control operational risks:

First Line of Defense: Business Unit Management

In modern banking, banks have established several business lines that work with some level of independence, but they all work towards attaining a set of institution-wide goals. Each business line is faced with its own operational risks and is responsible and accountable for assessing, controlling, and mitigating these risks.

Front-line risk management involves all commercial and front-office operational functions or simply business functions.

An effective first line of defense consists of the following responsibilities:

  • Evaluating and identifying operational risks inherent in the business.
  • Developing appropriate controls.
  • Evaluating the effectiveness and design of these controls.
  • Keeping track of the operational risk profiles of the business units and reporting them.

Roles and Responsibilities of the Risk Champions and “Line 1.5”

Even though ORM is decentralized by nature, i.e., everyone can take part in managing operational risk, not everyone in a firm has the capacity to have a deeper understanding of risk management. As a result, firms appoint “risk specialists” or “risk champions” within each business unit. Risk specialists are also known as the line “1.5” or “1.b”. The following are the roles of risk specialists within the first line of defense:

  • Serving as the principal correspondent for risk management issues.
  • Keeping track of risk events and losses through the collection and recording of data.
  • Identifying risks and controls in accordance with the group definitions (where applicable).
  • Making follow-ups on the implementation of the control rules, the risk management action plans, and the audit tracking process.

Second Line of Defense: An Independent Corporate Operational Risk Management Function

This is a functionally independent corporate operational risk function (CORF) involved in policy setting and provides assurance over first-line activities. The CORF generally complements the operational risk management activities of individual business lines.

Responsibilities of the CORF may include:

  • The development and maintenance of operational risk management and measurement policies, standards, and guidelines, as well as the design and delivery of operational risk training to promote awareness and competency concerning operational risk.
  • Establishing an independent view of the business units’ risk management activity, including the identification of material operational risks, the design and effectiveness of key controls, and the respect of risk appetites and tolerances.
  • Assessing the relevance and consistency of the department’s implementation of operational risk management tools, measurement activities, and reporting systems and providing evidence that this is an effective approach.
  • Reviewing and taking part in the monitoring and reporting of the operational risk profile.

Although the CORF enjoys some level of independence in all banks, the actual degree of independence differs among banks. The CORF function in small banks often achieves independence through the separation of duties and independent review of processes and functions. For larger banks, the CORF enjoys a reporting structure that’s independent of the risk-generating business lines. The CORF has the mandate to design, maintain, and continually develop the operational risk framework within the bank.

A key function of the CORF is to challenge the business lines’ risk management activities so as to ensure that all decisions and actions taken align with the bank’s risk measurement and reporting framework. To ensure that the CORF is effective in its work, it should have enough skilled personnel to manage operational risk.

Third Line of Defense: Independent Assurance

The third line of defense consists of the bank’s audit function, which performs independent oversight of the first two lines. Everyone involved in the auditing process must not be a participant in the process under review. An external party can also conduct the review. The independent review team usually reports directly to the Audit Committee (a committee of members of the board of directors) on internal control, compliance, and governance.

According to the Institute of Internal Auditors (IIA, 2017), the internal audit should interact with the risk management, compliance, and finance functions in the following ways:

  • Corporate governance structures must include effective risk management, compliance, and finance functions. This should not be the responsibility of, or a part of, an internal audit.
  • An internal audit should assess the effectiveness and adequacy of risk management, compliance, and finance functions. A company’s internal audit should never rely exclusively on risk management, compliance, or finance to evaluate the effectiveness of internal controls. The internal audit itself should always assess a sample of the activities under review.
  • As part of its risk assessment, internal audit should make informed decisions regarding the appropriateness of incorporating relevant work handled by others, such as risk management, compliance, or finance.

Best Practices and Regulatory Expectations for the Development of a Risk Appetite for Operational Risk and for a Strong Risk Culture

Regulatory Guidance on Risk Appetite for Operational Risk

The board is responsible for determining the nature and the extent of its risk appetite and internal control systems.

Defining a risk appetite implies assessing the firm’s key risks, developing limits within which the risks are acceptable, and establishing the required controls for these systems. The board directors should ensure that risk appetite and risk tolerance are defined consistently to drive the priorities of the entire control environment.

According to the 4th principle of operational risk management, the board must identify the types and levels of operational risks a bank is willing to assume. In addition, the board should approve risk appetite and risk tolerance statements. These statements should:

  1. Be easy to communicate and understand.
  2. Provide the assumptions and information used by the bank to prepare its business plan.
  3. Provide reasons for taking or avoiding certain operational risks.
  4. Ensure risk limits align with the bank-wide risk appetite statement.
  5. Be forward-looking and subject to scenario and stress testing.

With respect to Principle 4, the board of directors should:

  • Ensure that they consider all risks when approving the bank’s risk appetite and tolerance statements which provide details on risk limits and thresholds. They should also consider the bank’s strategic direction.
  • Regularly review the appropriateness of the bank’s risk appetite and tolerance statements. During the review process, some of the factors that should be considered include changes in the external environment, changes in business or activity volumes, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume, or nature of limit breaches.

Regulatory guidance requires that risk appetite and risk tolerance statements be in line with the organization’s operations.

The board of directors is responsible for owning and validating the risk limits. The board usually delegates this responsibility to its risk committee.

Risk Appetite Structure and Monitoring

According to the Basel Committee on Banking Supervision (BCBS), risk appetite should include the reasons for taking or avoiding certain types of risks. The firm has to take risks to meet its objective, but avoiding risk can also cost the firm. In this regard, the risk-return tradeoff must be addressed in the risk appetite statements. Risk appetite should be consistent with the firm’s objectives and the firm’s risk management strategy. Such a well-articulated risk appetite that is strategically aligned with the firm’s objectives can be used as guidance for making important business decisions.

To demonstrate their risk appetite and tolerance for disruptions, firms must set maximum impact tolerances for critical business services. Also, in order for risk appetite and tolerance statements to be credible and actionable, they must refer to consistent key controls and systems of control.

Risk Appetite Governance

As a matter of good practice in risk appetite governance, a risk owner should be assigned to each risk type, and control owners should design, implement, and evaluate controls. Metrics owners collect, report, and monitor the metrics that measure the organization’s risk appetite. Risk owners are managers who manage, maintain, and monitor risk within the defined appetite and tolerance limits.

Risk Culture

According to the 1st principle of operational risk management, the bank should maintain a strong risk management culture spearheaded by the bank’s board of directors and senior managers. The bank should strive to propagate a culture of operational risk resilience where everyone understands the need to manage risk.

The board of directors and senior management play a starring role in any operational risk management framework. With respect to Principle 1, the board of directors and/or senior management should:

  • Provide a sound foundation for a strong risk management culture within the bank. With a strong risk management culture and ethical business practices, the bank is less likely to experience potentially damaging operational risk events. If the bank ends up experiencing such an event, it would be better placed to deal effectively with the outcome.
  • Establish a code of conduct (or ethics policy) for all employees that outline expectations for ethical behavior. The code of conduct should identify acceptable business practices and prohibited conflicts.
  • Provide risk training throughout all levels of the bank. Training should consider the level of seniority, roles, and responsibilities of the trainee.

Banks with a strong risk culture are less likely to be affected by damaging operational risk events and are better positioned to deal with such events when they occur.

The board of directors must push for the implementation of a risk culture by senior management. The directors and senior management promote their organization’s risk culture through their own conduct and by setting expectations and consequences for employee conduct. In fact, employees more readily emulate what they see than what they are told.

It is easy to implement an effective risk appetite framework where there is already a strong risk culture. Success on the risk appetite journey is extremely difficult without a strong risk culture.

To promote a strong risk culture, a firm must have well-documented policies and codes that apply to everyone in the firm. Creating awareness and alerting people of the firm’s policies and rules contributes towards a strong risk culture.

Firms should also organize training and compensation structures to reinforce the codes of conduct and promote a strong risk culture. Educating all participants about the operational risks embedded in activities and processes is another critical component of creating a sound risk culture.

Practice Question

A company’s operational risk is managed through several committees that make collegial decisions based on information provided by different levels of the firm’s decision-making hierarchy and information escalated by those committees.

Which of the following is the correct function of the operational risk committee?

  A. Overseeing, managing, and reporting a comprehensive picture to the executive risk committee, management committee, and board risk committee.
  B. Supervising the operations of a designated business division or segment and presenting an overview to the respective manager of the designated business unit.
  C. Overseeing all operational risks, such as changes in the business environment, market volatility, regulatory compliance, cyber threats, and unforeseen events.
  D. A thorough and ongoing assessment of significant incidents through the review and monitoring of investigations.

The correct answer is A.

The operational risk committee is responsible for overseeing, managing, and reporting a comprehensive picture to the executive risk committee, management committee, and board risk committee.

B is incorrect. Overseeing the activities of a specific business line or function is the responsibility of the business line operational risk committee.

C is incorrect. Overseeing all operational risks is the responsibility of the risk committee of the board.

D is incorrect. Reviewing and monitoring the investigation of large incidents is also a responsibility of the board’s risk committee.
